AI Security Review
scanned 2h ago · by lpm-firewall-aiAt application runtime, the exported HTTP client can attach an embedded fallback JWT to workflow API requests. No install-time execution or confirmed exfiltration path is established.
Static reason
One or more suspicious static signals were detected.
Trigger
A consuming application invokes `HttpWebRequestService` without configuring `environment.Token`.
Impact
May expose or unintentionally use a packaged credential against the configured workflow API.
Mechanism
Runtime HTTP requests include a hard-coded fallback Authorization token.
Rationale
The embedded fallback credential is a real security risk, but the inspected source is an Angular UI client whose network behavior is consumer-invoked and configured by the host application. It is suspicious rather than demonstrably malicious.
Evidence
package.jsonfesm2022/verben-workflow-ui-src-lib-services.mjsesm2022/src/lib/services/http-web-request.service.mjs
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `fesm2022/verben-workflow-ui-src-lib-services.mjs` embeds a JWT as the fallback `Authorization` value.
- The token is automatically attached when consumers call the exported HTTP request service without an environment token.
Evidence against
- `package.json` has no lifecycle scripts or executable bin entrypoints.
- Requests use a consumer-supplied `environment.WorkFlowAPI`; no fixed external host is embedded.
- No inspected source showed filesystem access, shell execution, dynamic code loading, credential harvesting, or persistence.
Behavioral surface
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcefesm2022/verben-workflow-ui-src-lib-services.mjsView file
52patternName = supabase_service_key
severity = critical
line = 52
matchedText = Authoriz...9g',
Critical
Critical Secret
Package contains a critical-looking secret pattern.
fesm2022/verben-workflow-ui-src-lib-services.mjsView on unpkg · L5252patternName = supabase_service_key
severity = critical
line = 52
matchedText = Authoriz...9g',
Critical
Secret Pattern
Supabase service role key (JWT) in fesm2022/verben-workflow-ui-src-lib-services.mjs
fesm2022/verben-workflow-ui-src-lib-services.mjsView on unpkg · L52esm2022/src/lib/services/http-web-request.service.mjsView file
26patternName = supabase_service_key
severity = critical
line = 26
matchedText = Authoriz...9g',
Critical
Secret Pattern
Supabase service role key (JWT) in esm2022/src/lib/services/http-web-request.service.mjs
esm2022/src/lib/services/http-web-request.service.mjsView on unpkg · L26Findings
3 Critical3 Low
CriticalCritical Secretfesm2022/verben-workflow-ui-src-lib-services.mjs
CriticalSecret Patternfesm2022/verben-workflow-ui-src-lib-services.mjs
CriticalSecret Patternesm2022/src/lib/services/http-web-request.service.mjs
LowHigh Entropy Strings
LowUrl Strings
LowNo License